chore: the updateConfigs api also adds a check for SAFE_PATHS

component/ca/config.go

@@ -83,7 +83,7 @@ func GetCertPool(customCA string, customCAString string) (*x509.CertPool, error)
 	if len(customCA) > 0 {
 		path := C.Path.Resolve(customCA)
 		if !C.Path.IsSafePath(path) {
-			return nil, fmt.Errorf("path is not subpath of home directory: %s", path)
+			return nil, C.Path.ErrNotSafePath(path)
 		}
 		certificate, err = os.ReadFile(path)
 		if err != nil {

component/ca/keypair.go

@@ -17,6 +17,7 @@ import (
 type Path interface {
 	Resolve(path string) string
 	IsSafePath(path string) bool
+	ErrNotSafePath(path string) error
 }
 
 // LoadTLSKeyPair loads a TLS key pair from the provided certificate and private key data or file paths, supporting fallback resolution.
@@ -42,10 +43,12 @@ func LoadTLSKeyPair(certificate, privateKey string, path Path) (tls.Certificate,
 	certificate = path.Resolve(certificate)
 	privateKey = path.Resolve(privateKey)
 	var loadErr error
-	if path.IsSafePath(certificate) && path.IsSafePath(privateKey) {
-		cert, loadErr = tls.LoadX509KeyPair(certificate, privateKey)
+	if !path.IsSafePath(certificate) {
+		loadErr = path.ErrNotSafePath(certificate)
+	} else if !path.IsSafePath(privateKey) {
+		loadErr = path.ErrNotSafePath(privateKey)
 	} else {
-		loadErr = fmt.Errorf("path is not subpath of home directory")
+		cert, loadErr = tls.LoadX509KeyPair(certificate, privateKey)
 	}
 	if loadErr != nil {
 		return tls.Certificate{}, fmt.Errorf("parse certificate failed, maybe format error:%s, or path error: %s", painTextErr.Error(), loadErr.Error())